1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Server main loop for handling the interactive session. 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 * 13 * SSH2 support by Markus Friedl. 14 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 #include "includes.h" 38 RCSID("$OpenBSD: serverloop.c,v 1.124 2005/12/13 15:03:02 reyk Exp $"); 39 40 #include "xmalloc.h" 41 #include "packet.h" 42 #include "buffer.h" 43 #include "log.h" 44 #include "servconf.h" 45 #include "canohost.h" 46 #include "sshpty.h" 47 #include "channels.h" 48 #include "compat.h" 49 #include "ssh1.h" 50 #include "ssh2.h" 51 #include "auth.h" 52 #include "session.h" 53 #include "dispatch.h" 54 #include "auth-options.h" 55 #include "serverloop.h" 56 #include "misc.h" 57 #include "kex.h" 58 59 extern ServerOptions options; 60 61 /* XXX */ 62 extern Kex *xxx_kex; 63 extern Authctxt *the_authctxt; 64 extern int use_privsep; 65 66 static Buffer stdin_buffer; /* Buffer for stdin data. */ 67 static Buffer stdout_buffer; /* Buffer for stdout data. */ 68 static Buffer stderr_buffer; /* Buffer for stderr data. */ 69 static int fdin; /* Descriptor for stdin (for writing) */ 70 static int fdout; /* Descriptor for stdout (for reading); 71 May be same number as fdin. */ 72 static int fderr; /* Descriptor for stderr. May be -1. */ 73 static long stdin_bytes = 0; /* Number of bytes written to stdin. */ 74 static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */ 75 static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */ 76 static long fdout_bytes = 0; /* Number of stdout bytes read from program. */ 77 static int stdin_eof = 0; /* EOF message received from client. */ 78 static int fdout_eof = 0; /* EOF encountered reading from fdout. */ 79 static int fderr_eof = 0; /* EOF encountered readung from fderr. */ 80 static int fdin_is_tty = 0; /* fdin points to a tty. */ 81 static int connection_in; /* Connection to client (input). */ 82 static int connection_out; /* Connection to client (output). */ 83 static int connection_closed = 0; /* Connection to client closed. */ 84 static u_int buffer_high; /* "Soft" max buffer size. */ 85 static int client_alive_timeouts = 0; 86 87 /* 88 * This SIGCHLD kludge is used to detect when the child exits. The server 89 * will exit after that, as soon as forwarded connections have terminated. 90 */ 91 92 static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */ 93 94 /* Cleanup on signals (!use_privsep case only) */ 95 static volatile sig_atomic_t received_sigterm = 0; 96 97 /* prototypes */ 98 static void server_init_dispatch(void); 99 100 /* 101 * we write to this pipe if a SIGCHLD is caught in order to avoid 102 * the race between select() and child_terminated 103 */ 104 static int notify_pipe[2]; 105 static void 106 notify_setup(void) 107 { 108 if (pipe(notify_pipe) < 0) { 109 error("pipe(notify_pipe) failed %s", strerror(errno)); 110 } else if ((fcntl(notify_pipe[0], F_SETFD, 1) == -1) || 111 (fcntl(notify_pipe[1], F_SETFD, 1) == -1)) { 112 error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno)); 113 close(notify_pipe[0]); 114 close(notify_pipe[1]); 115 } else { 116 set_nonblock(notify_pipe[0]); 117 set_nonblock(notify_pipe[1]); 118 return; 119 } 120 notify_pipe[0] = -1; /* read end */ 121 notify_pipe[1] = -1; /* write end */ 122 } 123 static void 124 notify_parent(void) 125 { 126 if (notify_pipe[1] != -1) 127 write(notify_pipe[1], "", 1); 128 } 129 static void 130 notify_prepare(fd_set *readset) 131 { 132 if (notify_pipe[0] != -1) 133 FD_SET(notify_pipe[0], readset); 134 } 135 static void 136 notify_done(fd_set *readset) 137 { 138 char c; 139 140 if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) 141 while (read(notify_pipe[0], &c, 1) != -1) 142 debug2("notify_done: reading"); 143 } 144 145 static void 146 sigchld_handler(int sig) 147 { 148 int save_errno = errno; 149 debug("Received SIGCHLD."); 150 child_terminated = 1; 151 #ifndef _UNICOS 152 mysignal(SIGCHLD, sigchld_handler); 153 #endif 154 notify_parent(); 155 errno = save_errno; 156 } 157 158 static void 159 sigterm_handler(int sig) 160 { 161 received_sigterm = sig; 162 } 163 164 /* 165 * Make packets from buffered stderr data, and buffer it for sending 166 * to the client. 167 */ 168 static void 169 make_packets_from_stderr_data(void) 170 { 171 u_int len; 172 173 /* Send buffered stderr data to the client. */ 174 while (buffer_len(&stderr_buffer) > 0 && 175 packet_not_very_much_data_to_write()) { 176 len = buffer_len(&stderr_buffer); 177 if (packet_is_interactive()) { 178 if (len > 512) 179 len = 512; 180 } else { 181 /* Keep the packets at reasonable size. */ 182 if (len > packet_get_maxsize()) 183 len = packet_get_maxsize(); 184 } 185 packet_start(SSH_SMSG_STDERR_DATA); 186 packet_put_string(buffer_ptr(&stderr_buffer), len); 187 packet_send(); 188 buffer_consume(&stderr_buffer, len); 189 stderr_bytes += len; 190 } 191 } 192 193 /* 194 * Make packets from buffered stdout data, and buffer it for sending to the 195 * client. 196 */ 197 static void 198 make_packets_from_stdout_data(void) 199 { 200 u_int len; 201 202 /* Send buffered stdout data to the client. */ 203 while (buffer_len(&stdout_buffer) > 0 && 204 packet_not_very_much_data_to_write()) { 205 len = buffer_len(&stdout_buffer); 206 if (packet_is_interactive()) { 207 if (len > 512) 208 len = 512; 209 } else { 210 /* Keep the packets at reasonable size. */ 211 if (len > packet_get_maxsize()) 212 len = packet_get_maxsize(); 213 } 214 packet_start(SSH_SMSG_STDOUT_DATA); 215 packet_put_string(buffer_ptr(&stdout_buffer), len); 216 packet_send(); 217 buffer_consume(&stdout_buffer, len); 218 stdout_bytes += len; 219 } 220 } 221 222 static void 223 client_alive_check(void) 224 { 225 int channel_id; 226 227 /* timeout, check to see how many we have had */ 228 if (++client_alive_timeouts > options.client_alive_count_max) 229 packet_disconnect("Timeout, your session not responding."); 230 231 /* 232 * send a bogus global/channel request with "wantreply", 233 * we should get back a failure 234 */ 235 if ((channel_id = channel_find_open()) == -1) { 236 packet_start(SSH2_MSG_GLOBAL_REQUEST); 237 packet_put_cstring("keepalive@openssh.com"); 238 packet_put_char(1); /* boolean: want reply */ 239 } else { 240 channel_request_start(channel_id, "keepalive@openssh.com", 1); 241 } 242 packet_send(); 243 } 244 245 /* 246 * Sleep in select() until we can do something. This will initialize the 247 * select masks. Upon return, the masks will indicate which descriptors 248 * have data or can accept data. Optionally, a maximum time can be specified 249 * for the duration of the wait (0 = infinite). 250 */ 251 static void 252 wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 253 u_int *nallocp, u_int max_time_milliseconds) 254 { 255 struct timeval tv, *tvp; 256 int ret; 257 int client_alive_scheduled = 0; 258 259 /* 260 * if using client_alive, set the max timeout accordingly, 261 * and indicate that this particular timeout was for client 262 * alive by setting the client_alive_scheduled flag. 263 * 264 * this could be randomized somewhat to make traffic 265 * analysis more difficult, but we're not doing it yet. 266 */ 267 if (compat20 && 268 max_time_milliseconds == 0 && options.client_alive_interval) { 269 client_alive_scheduled = 1; 270 max_time_milliseconds = options.client_alive_interval * 1000; 271 } 272 273 /* Allocate and update select() masks for channel descriptors. */ 274 channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, 0); 275 276 if (compat20) { 277 #if 0 278 /* wrong: bad condition XXX */ 279 if (channel_not_very_much_buffered_data()) 280 #endif 281 FD_SET(connection_in, *readsetp); 282 } else { 283 /* 284 * Read packets from the client unless we have too much 285 * buffered stdin or channel data. 286 */ 287 if (buffer_len(&stdin_buffer) < buffer_high && 288 channel_not_very_much_buffered_data()) 289 FD_SET(connection_in, *readsetp); 290 /* 291 * If there is not too much data already buffered going to 292 * the client, try to get some more data from the program. 293 */ 294 if (packet_not_very_much_data_to_write()) { 295 if (!fdout_eof) 296 FD_SET(fdout, *readsetp); 297 if (!fderr_eof) 298 FD_SET(fderr, *readsetp); 299 } 300 /* 301 * If we have buffered data, try to write some of that data 302 * to the program. 303 */ 304 if (fdin != -1 && buffer_len(&stdin_buffer) > 0) 305 FD_SET(fdin, *writesetp); 306 } 307 notify_prepare(*readsetp); 308 309 /* 310 * If we have buffered packet data going to the client, mark that 311 * descriptor. 312 */ 313 if (packet_have_data_to_write()) 314 FD_SET(connection_out, *writesetp); 315 316 /* 317 * If child has terminated and there is enough buffer space to read 318 * from it, then read as much as is available and exit. 319 */ 320 if (child_terminated && packet_not_very_much_data_to_write()) 321 if (max_time_milliseconds == 0 || client_alive_scheduled) 322 max_time_milliseconds = 100; 323 324 if (max_time_milliseconds == 0) 325 tvp = NULL; 326 else { 327 tv.tv_sec = max_time_milliseconds / 1000; 328 tv.tv_usec = 1000 * (max_time_milliseconds % 1000); 329 tvp = &tv; 330 } 331 332 /* Wait for something to happen, or the timeout to expire. */ 333 ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); 334 335 if (ret == -1) { 336 memset(*readsetp, 0, *nallocp); 337 memset(*writesetp, 0, *nallocp); 338 if (errno != EINTR) 339 error("select: %.100s", strerror(errno)); 340 } else if (ret == 0 && client_alive_scheduled) 341 client_alive_check(); 342 343 notify_done(*readsetp); 344 } 345 346 /* 347 * Processes input from the client and the program. Input data is stored 348 * in buffers and processed later. 349 */ 350 static void 351 process_input(fd_set * readset) 352 { 353 int len; 354 char buf[16384]; 355 356 /* Read and buffer any input data from the client. */ 357 if (FD_ISSET(connection_in, readset)) { 358 len = read(connection_in, buf, sizeof(buf)); 359 if (len == 0) { 360 verbose("Connection closed by %.100s", 361 get_remote_ipaddr()); 362 connection_closed = 1; 363 if (compat20) 364 return; 365 cleanup_exit(255); 366 } else if (len < 0) { 367 if (errno != EINTR && errno != EAGAIN) { 368 verbose("Read error from remote host " 369 "%.100s: %.100s", 370 get_remote_ipaddr(), strerror(errno)); 371 cleanup_exit(255); 372 } 373 } else { 374 /* Buffer any received data. */ 375 packet_process_incoming(buf, len); 376 } 377 } 378 if (compat20) 379 return; 380 381 /* Read and buffer any available stdout data from the program. */ 382 if (!fdout_eof && FD_ISSET(fdout, readset)) { 383 len = read(fdout, buf, sizeof(buf)); 384 if (len < 0 && (errno == EINTR || errno == EAGAIN)) { 385 /* do nothing */ 386 } else if (len <= 0) { 387 fdout_eof = 1; 388 } else { 389 buffer_append(&stdout_buffer, buf, len); 390 fdout_bytes += len; 391 } 392 } 393 /* Read and buffer any available stderr data from the program. */ 394 if (!fderr_eof && FD_ISSET(fderr, readset)) { 395 len = read(fderr, buf, sizeof(buf)); 396 if (len < 0 && (errno == EINTR || errno == EAGAIN)) { 397 /* do nothing */ 398 } else if (len <= 0) { 399 fderr_eof = 1; 400 } else { 401 buffer_append(&stderr_buffer, buf, len); 402 } 403 } 404 } 405 406 /* 407 * Sends data from internal buffers to client program stdin. 408 */ 409 static void 410 process_output(fd_set * writeset) 411 { 412 struct termios tio; 413 u_char *data; 414 u_int dlen; 415 int len; 416 417 /* Write buffered data to program stdin. */ 418 if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) { 419 data = buffer_ptr(&stdin_buffer); 420 dlen = buffer_len(&stdin_buffer); 421 len = write(fdin, data, dlen); 422 if (len < 0 && (errno == EINTR || errno == EAGAIN)) { 423 /* do nothing */ 424 } else if (len <= 0) { 425 if (fdin != fdout) 426 close(fdin); 427 else 428 shutdown(fdin, SHUT_WR); /* We will no longer send. */ 429 fdin = -1; 430 } else { 431 /* Successful write. */ 432 if (fdin_is_tty && dlen >= 1 && data[0] != '\r' && 433 tcgetattr(fdin, &tio) == 0 && 434 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 435 /* 436 * Simulate echo to reduce the impact of 437 * traffic analysis 438 */ 439 packet_send_ignore(len); 440 packet_send(); 441 } 442 /* Consume the data from the buffer. */ 443 buffer_consume(&stdin_buffer, len); 444 /* Update the count of bytes written to the program. */ 445 stdin_bytes += len; 446 } 447 } 448 /* Send any buffered packet data to the client. */ 449 if (FD_ISSET(connection_out, writeset)) 450 packet_write_poll(); 451 } 452 453 /* 454 * Wait until all buffered output has been sent to the client. 455 * This is used when the program terminates. 456 */ 457 static void 458 drain_output(void) 459 { 460 /* Send any buffered stdout data to the client. */ 461 if (buffer_len(&stdout_buffer) > 0) { 462 packet_start(SSH_SMSG_STDOUT_DATA); 463 packet_put_string(buffer_ptr(&stdout_buffer), 464 buffer_len(&stdout_buffer)); 465 packet_send(); 466 /* Update the count of sent bytes. */ 467 stdout_bytes += buffer_len(&stdout_buffer); 468 } 469 /* Send any buffered stderr data to the client. */ 470 if (buffer_len(&stderr_buffer) > 0) { 471 packet_start(SSH_SMSG_STDERR_DATA); 472 packet_put_string(buffer_ptr(&stderr_buffer), 473 buffer_len(&stderr_buffer)); 474 packet_send(); 475 /* Update the count of sent bytes. */ 476 stderr_bytes += buffer_len(&stderr_buffer); 477 } 478 /* Wait until all buffered data has been written to the client. */ 479 packet_write_wait(); 480 } 481 482 static void 483 process_buffered_input_packets(void) 484 { 485 dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL); 486 } 487 488 /* 489 * Performs the interactive session. This handles data transmission between 490 * the client and the program. Note that the notion of stdin, stdout, and 491 * stderr in this function is sort of reversed: this function writes to 492 * stdin (of the child program), and reads from stdout and stderr (of the 493 * child program). 494 */ 495 void 496 server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 497 { 498 fd_set *readset = NULL, *writeset = NULL; 499 int max_fd = 0; 500 u_int nalloc = 0; 501 int wait_status; /* Status returned by wait(). */ 502 pid_t wait_pid; /* pid returned by wait(). */ 503 int waiting_termination = 0; /* Have displayed waiting close message. */ 504 u_int max_time_milliseconds; 505 u_int previous_stdout_buffer_bytes; 506 u_int stdout_buffer_bytes; 507 int type; 508 509 debug("Entering interactive session."); 510 511 /* Initialize the SIGCHLD kludge. */ 512 child_terminated = 0; 513 mysignal(SIGCHLD, sigchld_handler); 514 515 if (!use_privsep) { 516 signal(SIGTERM, sigterm_handler); 517 signal(SIGINT, sigterm_handler); 518 signal(SIGQUIT, sigterm_handler); 519 } 520 521 /* Initialize our global variables. */ 522 fdin = fdin_arg; 523 fdout = fdout_arg; 524 fderr = fderr_arg; 525 526 /* nonblocking IO */ 527 set_nonblock(fdin); 528 set_nonblock(fdout); 529 /* we don't have stderr for interactive terminal sessions, see below */ 530 if (fderr != -1) 531 set_nonblock(fderr); 532 533 if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin)) 534 fdin_is_tty = 1; 535 536 connection_in = packet_get_connection_in(); 537 connection_out = packet_get_connection_out(); 538 539 notify_setup(); 540 541 previous_stdout_buffer_bytes = 0; 542 543 /* Set approximate I/O buffer size. */ 544 if (packet_is_interactive()) 545 buffer_high = 4096; 546 else 547 buffer_high = 64 * 1024; 548 549 #if 0 550 /* Initialize max_fd to the maximum of the known file descriptors. */ 551 max_fd = MAX(connection_in, connection_out); 552 max_fd = MAX(max_fd, fdin); 553 max_fd = MAX(max_fd, fdout); 554 if (fderr != -1) 555 max_fd = MAX(max_fd, fderr); 556 #endif 557 558 /* Initialize Initialize buffers. */ 559 buffer_init(&stdin_buffer); 560 buffer_init(&stdout_buffer); 561 buffer_init(&stderr_buffer); 562 563 /* 564 * If we have no separate fderr (which is the case when we have a pty 565 * - there we cannot make difference between data sent to stdout and 566 * stderr), indicate that we have seen an EOF from stderr. This way 567 * we don't need to check the descriptor everywhere. 568 */ 569 if (fderr == -1) 570 fderr_eof = 1; 571 572 server_init_dispatch(); 573 574 /* Main loop of the server for the interactive session mode. */ 575 for (;;) { 576 577 /* Process buffered packets from the client. */ 578 process_buffered_input_packets(); 579 580 /* 581 * If we have received eof, and there is no more pending 582 * input data, cause a real eof by closing fdin. 583 */ 584 if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) { 585 if (fdin != fdout) 586 close(fdin); 587 else 588 shutdown(fdin, SHUT_WR); /* We will no longer send. */ 589 fdin = -1; 590 } 591 /* Make packets from buffered stderr data to send to the client. */ 592 make_packets_from_stderr_data(); 593 594 /* 595 * Make packets from buffered stdout data to send to the 596 * client. If there is very little to send, this arranges to 597 * not send them now, but to wait a short while to see if we 598 * are getting more data. This is necessary, as some systems 599 * wake up readers from a pty after each separate character. 600 */ 601 max_time_milliseconds = 0; 602 stdout_buffer_bytes = buffer_len(&stdout_buffer); 603 if (stdout_buffer_bytes != 0 && stdout_buffer_bytes < 256 && 604 stdout_buffer_bytes != previous_stdout_buffer_bytes) { 605 /* try again after a while */ 606 max_time_milliseconds = 10; 607 } else { 608 /* Send it now. */ 609 make_packets_from_stdout_data(); 610 } 611 previous_stdout_buffer_bytes = buffer_len(&stdout_buffer); 612 613 /* Send channel data to the client. */ 614 if (packet_not_very_much_data_to_write()) 615 channel_output_poll(); 616 617 /* 618 * Bail out of the loop if the program has closed its output 619 * descriptors, and we have no more data to send to the 620 * client, and there is no pending buffered data. 621 */ 622 if (fdout_eof && fderr_eof && !packet_have_data_to_write() && 623 buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) { 624 if (!channel_still_open()) 625 break; 626 if (!waiting_termination) { 627 const char *s = "Waiting for forwarded connections to terminate...\r\n"; 628 char *cp; 629 waiting_termination = 1; 630 buffer_append(&stderr_buffer, s, strlen(s)); 631 632 /* Display list of open channels. */ 633 cp = channel_open_message(); 634 buffer_append(&stderr_buffer, cp, strlen(cp)); 635 xfree(cp); 636 } 637 } 638 max_fd = MAX(connection_in, connection_out); 639 max_fd = MAX(max_fd, fdin); 640 max_fd = MAX(max_fd, fdout); 641 max_fd = MAX(max_fd, fderr); 642 max_fd = MAX(max_fd, notify_pipe[0]); 643 644 /* Sleep in select() until we can do something. */ 645 wait_until_can_do_something(&readset, &writeset, &max_fd, 646 &nalloc, max_time_milliseconds); 647 648 if (received_sigterm) { 649 logit("Exiting on signal %d", received_sigterm); 650 /* Clean up sessions, utmp, etc. */ 651 cleanup_exit(255); 652 } 653 654 /* Process any channel events. */ 655 channel_after_select(readset, writeset); 656 657 /* Process input from the client and from program stdout/stderr. */ 658 process_input(readset); 659 660 /* Process output to the client and to program stdin. */ 661 process_output(writeset); 662 } 663 if (readset) 664 xfree(readset); 665 if (writeset) 666 xfree(writeset); 667 668 /* Cleanup and termination code. */ 669 670 /* Wait until all output has been sent to the client. */ 671 drain_output(); 672 673 debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.", 674 stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes); 675 676 /* Free and clear the buffers. */ 677 buffer_free(&stdin_buffer); 678 buffer_free(&stdout_buffer); 679 buffer_free(&stderr_buffer); 680 681 /* Close the file descriptors. */ 682 if (fdout != -1) 683 close(fdout); 684 fdout = -1; 685 fdout_eof = 1; 686 if (fderr != -1) 687 close(fderr); 688 fderr = -1; 689 fderr_eof = 1; 690 if (fdin != -1) 691 close(fdin); 692 fdin = -1; 693 694 channel_free_all(); 695 696 /* We no longer want our SIGCHLD handler to be called. */ 697 mysignal(SIGCHLD, SIG_DFL); 698 699 while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0) 700 if (errno != EINTR) 701 packet_disconnect("wait: %.100s", strerror(errno)); 702 if (wait_pid != pid) 703 error("Strange, wait returned pid %ld, expected %ld", 704 (long)wait_pid, (long)pid); 705 706 /* Check if it exited normally. */ 707 if (WIFEXITED(wait_status)) { 708 /* Yes, normal exit. Get exit status and send it to the client. */ 709 debug("Command exited with status %d.", WEXITSTATUS(wait_status)); 710 packet_start(SSH_SMSG_EXITSTATUS); 711 packet_put_int(WEXITSTATUS(wait_status)); 712 packet_send(); 713 packet_write_wait(); 714 715 /* 716 * Wait for exit confirmation. Note that there might be 717 * other packets coming before it; however, the program has 718 * already died so we just ignore them. The client is 719 * supposed to respond with the confirmation when it receives 720 * the exit status. 721 */ 722 do { 723 type = packet_read(); 724 } 725 while (type != SSH_CMSG_EXIT_CONFIRMATION); 726 727 debug("Received exit confirmation."); 728 return; 729 } 730 /* Check if the program terminated due to a signal. */ 731 if (WIFSIGNALED(wait_status)) 732 packet_disconnect("Command terminated on signal %d.", 733 WTERMSIG(wait_status)); 734 735 /* Some weird exit cause. Just exit. */ 736 packet_disconnect("wait returned status %04x.", wait_status); 737 /* NOTREACHED */ 738 } 739 740 static void 741 collect_children(void) 742 { 743 pid_t pid; 744 sigset_t oset, nset; 745 int status; 746 747 /* block SIGCHLD while we check for dead children */ 748 sigemptyset(&nset); 749 sigaddset(&nset, SIGCHLD); 750 sigprocmask(SIG_BLOCK, &nset, &oset); 751 if (child_terminated) { 752 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 753 (pid < 0 && errno == EINTR)) 754 if (pid > 0) 755 session_close_by_pid(pid, status); 756 child_terminated = 0; 757 } 758 sigprocmask(SIG_SETMASK, &oset, NULL); 759 } 760 761 void 762 server_loop2(Authctxt *authctxt) 763 { 764 fd_set *readset = NULL, *writeset = NULL; 765 int rekeying = 0, max_fd, nalloc = 0; 766 767 debug("Entering interactive session for SSH2."); 768 769 mysignal(SIGCHLD, sigchld_handler); 770 child_terminated = 0; 771 connection_in = packet_get_connection_in(); 772 connection_out = packet_get_connection_out(); 773 774 if (!use_privsep) { 775 signal(SIGTERM, sigterm_handler); 776 signal(SIGINT, sigterm_handler); 777 signal(SIGQUIT, sigterm_handler); 778 } 779 780 notify_setup(); 781 782 max_fd = MAX(connection_in, connection_out); 783 max_fd = MAX(max_fd, notify_pipe[0]); 784 785 server_init_dispatch(); 786 787 for (;;) { 788 process_buffered_input_packets(); 789 790 rekeying = (xxx_kex != NULL && !xxx_kex->done); 791 792 if (!rekeying && packet_not_very_much_data_to_write()) 793 channel_output_poll(); 794 wait_until_can_do_something(&readset, &writeset, &max_fd, 795 &nalloc, 0); 796 797 if (received_sigterm) { 798 logit("Exiting on signal %d", received_sigterm); 799 /* Clean up sessions, utmp, etc. */ 800 cleanup_exit(255); 801 } 802 803 collect_children(); 804 if (!rekeying) { 805 channel_after_select(readset, writeset); 806 if (packet_need_rekeying()) { 807 debug("need rekeying"); 808 xxx_kex->done = 0; 809 kex_send_kexinit(xxx_kex); 810 } 811 } 812 process_input(readset); 813 if (connection_closed) 814 break; 815 process_output(writeset); 816 } 817 collect_children(); 818 819 if (readset) 820 xfree(readset); 821 if (writeset) 822 xfree(writeset); 823 824 /* free all channels, no more reads and writes */ 825 channel_free_all(); 826 827 /* free remaining sessions, e.g. remove wtmp entries */ 828 session_destroy_all(NULL); 829 } 830 831 static void 832 server_input_keep_alive(int type, u_int32_t seq, void *ctxt) 833 { 834 debug("Got %d/%u for keepalive", type, seq); 835 /* 836 * reset timeout, since we got a sane answer from the client. 837 * even if this was generated by something other than 838 * the bogus CHANNEL_REQUEST we send for keepalives. 839 */ 840 client_alive_timeouts = 0; 841 } 842 843 static void 844 server_input_stdin_data(int type, u_int32_t seq, void *ctxt) 845 { 846 char *data; 847 u_int data_len; 848 849 /* Stdin data from the client. Append it to the buffer. */ 850 /* Ignore any data if the client has closed stdin. */ 851 if (fdin == -1) 852 return; 853 data = packet_get_string(&data_len); 854 packet_check_eom(); 855 buffer_append(&stdin_buffer, data, data_len); 856 memset(data, 0, data_len); 857 xfree(data); 858 } 859 860 static void 861 server_input_eof(int type, u_int32_t seq, void *ctxt) 862 { 863 /* 864 * Eof from the client. The stdin descriptor to the 865 * program will be closed when all buffered data has 866 * drained. 867 */ 868 debug("EOF received for stdin."); 869 packet_check_eom(); 870 stdin_eof = 1; 871 } 872 873 static void 874 server_input_window_size(int type, u_int32_t seq, void *ctxt) 875 { 876 int row = packet_get_int(); 877 int col = packet_get_int(); 878 int xpixel = packet_get_int(); 879 int ypixel = packet_get_int(); 880 881 debug("Window change received."); 882 packet_check_eom(); 883 if (fdin != -1) 884 pty_change_window_size(fdin, row, col, xpixel, ypixel); 885 } 886 887 static Channel * 888 server_request_direct_tcpip(void) 889 { 890 Channel *c; 891 int sock; 892 char *target, *originator; 893 int target_port, originator_port; 894 895 target = packet_get_string(NULL); 896 target_port = packet_get_int(); 897 originator = packet_get_string(NULL); 898 originator_port = packet_get_int(); 899 packet_check_eom(); 900 901 debug("server_request_direct_tcpip: originator %s port %d, target %s port %d", 902 originator, originator_port, target, target_port); 903 904 /* XXX check permission */ 905 sock = channel_connect_to(target, target_port); 906 xfree(target); 907 xfree(originator); 908 if (sock < 0) 909 return NULL; 910 c = channel_new("direct-tcpip", SSH_CHANNEL_CONNECTING, 911 sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, 912 CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1); 913 return c; 914 } 915 916 static Channel * 917 server_request_tun(void) 918 { 919 Channel *c = NULL; 920 int mode, tun; 921 int sock; 922 923 mode = packet_get_int(); 924 switch (mode) { 925 case SSH_TUNMODE_POINTOPOINT: 926 case SSH_TUNMODE_ETHERNET: 927 break; 928 default: 929 packet_send_debug("Unsupported tunnel device mode."); 930 return NULL; 931 } 932 if ((options.permit_tun & mode) == 0) { 933 packet_send_debug("Server has rejected tunnel device " 934 "forwarding"); 935 return NULL; 936 } 937 938 tun = packet_get_int(); 939 if (forced_tun_device != -1) { 940 if (tun != SSH_TUNID_ANY && forced_tun_device != tun) 941 goto done; 942 tun = forced_tun_device; 943 } 944 sock = tun_open(tun, mode); 945 if (sock < 0) 946 goto done; 947 c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, 948 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); 949 c->datagram = 1; 950 #if defined(SSH_TUN_FILTER) 951 if (mode == SSH_TUNMODE_POINTOPOINT) 952 channel_register_filter(c->self, sys_tun_infilter, 953 sys_tun_outfilter); 954 #endif 955 956 done: 957 if (c == NULL) 958 packet_send_debug("Failed to open the tunnel device."); 959 return c; 960 } 961 962 static Channel * 963 server_request_session(void) 964 { 965 Channel *c; 966 967 debug("input_session_request"); 968 packet_check_eom(); 969 /* 970 * A server session has no fd to read or write until a 971 * CHANNEL_REQUEST for a shell is made, so we set the type to 972 * SSH_CHANNEL_LARVAL. Additionally, a callback for handling all 973 * CHANNEL_REQUEST messages is registered. 974 */ 975 c = channel_new("session", SSH_CHANNEL_LARVAL, 976 -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 977 0, "server-session", 1); 978 if (session_open(the_authctxt, c->self) != 1) { 979 debug("session open failed, free channel %d", c->self); 980 channel_free(c); 981 return NULL; 982 } 983 channel_register_cleanup(c->self, session_close_by_channel, 0); 984 return c; 985 } 986 987 static void 988 server_input_channel_open(int type, u_int32_t seq, void *ctxt) 989 { 990 Channel *c = NULL; 991 char *ctype; 992 int rchan; 993 u_int rmaxpack, rwindow, len; 994 995 ctype = packet_get_string(&len); 996 rchan = packet_get_int(); 997 rwindow = packet_get_int(); 998 rmaxpack = packet_get_int(); 999 1000 debug("server_input_channel_open: ctype %s rchan %d win %d max %d", 1001 ctype, rchan, rwindow, rmaxpack); 1002 1003 if (strcmp(ctype, "session") == 0) { 1004 c = server_request_session(); 1005 } else if (strcmp(ctype, "direct-tcpip") == 0) { 1006 c = server_request_direct_tcpip(); 1007 } else if (strcmp(ctype, "tun@openssh.com") == 0) { 1008 c = server_request_tun(); 1009 } 1010 if (c != NULL) { 1011 debug("server_input_channel_open: confirm %s", ctype); 1012 c->remote_id = rchan; 1013 c->remote_window = rwindow; 1014 c->remote_maxpacket = rmaxpack; 1015 if (c->type != SSH_CHANNEL_CONNECTING) { 1016 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1017 packet_put_int(c->remote_id); 1018 packet_put_int(c->self); 1019 packet_put_int(c->local_window); 1020 packet_put_int(c->local_maxpacket); 1021 packet_send(); 1022 } 1023 } else { 1024 debug("server_input_channel_open: failure %s", ctype); 1025 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1026 packet_put_int(rchan); 1027 packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); 1028 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1029 packet_put_cstring("open failed"); 1030 packet_put_cstring(""); 1031 } 1032 packet_send(); 1033 } 1034 xfree(ctype); 1035 } 1036 1037 static void 1038 server_input_global_request(int type, u_int32_t seq, void *ctxt) 1039 { 1040 char *rtype; 1041 int want_reply; 1042 int success = 0; 1043 1044 rtype = packet_get_string(NULL); 1045 want_reply = packet_get_char(); 1046 debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply); 1047 1048 /* -R style forwarding */ 1049 if (strcmp(rtype, "tcpip-forward") == 0) { 1050 struct passwd *pw; 1051 char *listen_address; 1052 u_short listen_port; 1053 1054 pw = the_authctxt->pw; 1055 if (pw == NULL || !the_authctxt->valid) 1056 fatal("server_input_global_request: no/invalid user"); 1057 listen_address = packet_get_string(NULL); 1058 listen_port = (u_short)packet_get_int(); 1059 debug("server_input_global_request: tcpip-forward listen %s port %d", 1060 listen_address, listen_port); 1061 1062 /* check permissions */ 1063 if (!options.allow_tcp_forwarding || 1064 no_port_forwarding_flag 1065 #ifndef NO_IPPORT_RESERVED_CONCEPT 1066 || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) 1067 #endif 1068 ) { 1069 success = 0; 1070 packet_send_debug("Server has disabled port forwarding."); 1071 } else { 1072 /* Start listening on the port */ 1073 success = channel_setup_remote_fwd_listener( 1074 listen_address, listen_port, options.gateway_ports); 1075 } 1076 xfree(listen_address); 1077 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { 1078 char *cancel_address; 1079 u_short cancel_port; 1080 1081 cancel_address = packet_get_string(NULL); 1082 cancel_port = (u_short)packet_get_int(); 1083 debug("%s: cancel-tcpip-forward addr %s port %d", __func__, 1084 cancel_address, cancel_port); 1085 1086 success = channel_cancel_rport_listener(cancel_address, 1087 cancel_port); 1088 } 1089 if (want_reply) { 1090 packet_start(success ? 1091 SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); 1092 packet_send(); 1093 packet_write_wait(); 1094 } 1095 xfree(rtype); 1096 } 1097 static void 1098 server_input_channel_req(int type, u_int32_t seq, void *ctxt) 1099 { 1100 Channel *c; 1101 int id, reply, success = 0; 1102 char *rtype; 1103 1104 id = packet_get_int(); 1105 rtype = packet_get_string(NULL); 1106 reply = packet_get_char(); 1107 1108 debug("server_input_channel_req: channel %d request %s reply %d", 1109 id, rtype, reply); 1110 1111 if ((c = channel_lookup(id)) == NULL) 1112 packet_disconnect("server_input_channel_req: " 1113 "unknown channel %d", id); 1114 if (c->type == SSH_CHANNEL_LARVAL || c->type == SSH_CHANNEL_OPEN) 1115 success = session_input_channel_req(c, rtype); 1116 if (reply) { 1117 packet_start(success ? 1118 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); 1119 packet_put_int(c->remote_id); 1120 packet_send(); 1121 } 1122 xfree(rtype); 1123 } 1124 1125 static void 1126 server_init_dispatch_20(void) 1127 { 1128 debug("server_init_dispatch_20"); 1129 dispatch_init(&dispatch_protocol_error); 1130 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); 1131 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data); 1132 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); 1133 dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); 1134 dispatch_set(SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open); 1135 dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1136 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1137 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req); 1138 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); 1139 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); 1140 /* client_alive */ 1141 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_keep_alive); 1142 dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive); 1143 dispatch_set(SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive); 1144 /* rekeying */ 1145 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 1146 } 1147 static void 1148 server_init_dispatch_13(void) 1149 { 1150 debug("server_init_dispatch_13"); 1151 dispatch_init(NULL); 1152 dispatch_set(SSH_CMSG_EOF, &server_input_eof); 1153 dispatch_set(SSH_CMSG_STDIN_DATA, &server_input_stdin_data); 1154 dispatch_set(SSH_CMSG_WINDOW_SIZE, &server_input_window_size); 1155 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close); 1156 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation); 1157 dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); 1158 dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1159 dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1160 dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); 1161 } 1162 static void 1163 server_init_dispatch_15(void) 1164 { 1165 server_init_dispatch_13(); 1166 debug("server_init_dispatch_15"); 1167 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof); 1168 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose); 1169 } 1170 static void 1171 server_init_dispatch(void) 1172 { 1173 if (compat20) 1174 server_init_dispatch_20(); 1175 else if (compat13) 1176 server_init_dispatch_13(); 1177 else 1178 server_init_dispatch_15(); 1179 } 1180